The state of threats to electric entities: 4 key findings from the 2020 Dragos report
Introduction
In January 2020, industrial cybersecurity firm Dragos released the North American Electric Cyber Threat Perspective, referred to as the Dragos report. This report summarized findings regarding threats and adversaries that focus on critical infrastructure and is intended to be a snapshot of the threat landscape in January 2020 and which is expected to evolve over time.
This article will detail five key findings from the Dragos report and will explore the vulnerability of power outages, the threat of supply chain compromise, solar generation utility communications outage in the United States, recommendations for asset owners and operators and the relative position of the United States. We’ll take a closer look at the report and leave you with a more solid understanding of the industrial cybersecurity threat landscape.
Learn ICS/SCADA Security
1. Power outages as opportunities for adversaries
A vulnerability that electric entities face stems from the fact that planned outages and maintenance periods can provide adversaries with opportunities to learn about the utility for a future disruption or attack. Examples of what they can learn about include the timing of planned outages, the utility’s operations, recovery procedures and knowledge regarding any anomalous activity during an outage with a high likelihood of not being detected during that time.
When natural disasters occur and the utility schedules a mass outage, this also provides opportunity for adversarial reconnaissance.
The problem is that when outages occur, external entities are allowed into operational environments of the electric entity to provide service. This gives them a prime opportunity to infect an operations technology (OT) environment, whether intentionally or unintentionally. For example, in 2018, Schneider Electric alerted customers of two possibly infected USB sticks that were shipped out to them. (No events caused by this were reported.)
2. Supply chain compromise and CIP-013
One of the most concerning findings of the Dragos report was the significant rising threat of supply chain compromise. Electric entities rely upon a supply to produce electricity and adversaries bent on attacking the entity may focus on it to cause disruption. An example of this supply chain attack is when natural gas pipelines are attacked to disrupt energy generation. While Dragos has not specifically observed a systemic attack like this at this time, it still remains a threat.
Disruption of the supply chain of the raw elements necessary for electric entities is not the only threat to the supply chain. Dragos specifically mentions third-party vendors, original equipment manufacturers and telecommunication providers as being other potential points of attack.
The Dragos report includes which activity or threat groups exist as of January 2020 and what their different potential actions may include. As of this time, Xenotime is the only activity group deemed to be a potential threat to electric entities. In 2017, this group disrupted a Saudi oil and gas facility, and in 2018, Xenotime expanded its capabilities to include North America.
The Dragos report puts the threat landscape for electric entities into perspective by referring to CIP-013 standard. This NERC CIP Reliability standard governs supply chain risk management and adheres to cybersecurity regulations mandating a minimum level of cybersecurity for electric entities. It holds that these entities must use best practices for cybersecurity, which is unique compared to the other areas of the world. Despite the relatively high level of vulnerability electrical entities in the United States face, CIP-013 leaves us with a beacon of hope against existing and future threats and is definitely encouraging.
3. OT communications gateways
Another key finding of the Dragos report is that adversaries have the ability to exploit vulnerabilities within OT communications to disrupt energy production facilities.
Recently, adversaries exploited firewall vulnerabilities for a solar energy utility in Utah. Attackers targeted a known Cisco firewall vulnerability in the firewalls between IT systems from the utility’s OT to impact operations by causing unexpected device reboots. This amounted to communications outages between sites, field devices and the control center and lasted for less than five minutes.
Dragos found that despite a minimal impact from the incident, the disruption resulted in a disruption in generation network connectivity. If this exploitation had been more severe and longer lasting, the incident could have caused disastrous consequences at the utility.
4. The state of threats to electric entities in the United States
The Dragos report highlighted concerning aspects about the threat landscape for United States (and North American) electric entities. Of the 11 activity groups that Dragos tracks, seven can potentially impact these entities: Xenotime, Parisite, Dymalloy, Allanite, Magnallium, Covellite and Raspite.
Xenotime is identified as being especially a threat because of its ability to cause supply chain compromise. The increased activity of Magnallium has been observed to match the escalation of tensions with Iran in the Middle East; however, it is not suspected of being a state-sponsored activity group.
These threats should not lead you to think that the electric entity threat landscape in the United States is in dire shape compared to the rest of the world. With the implementation of CIP-013, the supply chain compromise risk by Xenotime and other adversaries will lose its teeth; complying with the minimum level of cybersecurity mandated by CIP-013 may result in impactful improvement of the risk landscape.
Conclusion
The Dragos report provides an insightful look into the electric entity threat landscape as of January 2020. It highlights the vulnerabilities and activity groups faced by electric entities in the United States, looks at recent cyberattacks overseas and is peppered with both the rising risk from supply chain compromise and the coming relief that CIP-013 will provide.
All things said, many will be reassured by this report. While we can see that adversaries do pose a serious danger to electric entities, upcoming regulations may provide the necessary nudge towards a more secure critical infrastructure.
Learn ICS/SCADA Security
Sources
Learn ICS/SCADA Security
Build your critical infrastructure security skills with hands-on training in Infosec Skills. Train how you learn best:- Practice realistic scenarios
- Build hands-on skills
- Learn live or on-demand
- Get certified
In this Series
- The state of threats to electric entities: 4 key findings from the 2020 Dragos report
- Securing operational technology: Safeguard infrastructure from cyberattack
- Operation technology sees rise in targeted remote access Trojans and ransomware
- Vehicle hacking: A history of connected car vulnerabilities and exploits
- Operational technology compromises: Low sophistication, high-frequency
- ICS/SCADA threats and threat actors
- Incident response and recovery best practices for industrial control systems
- BPCS & SIS
- Security Technologies for ICS/SCADA environments
- Data Loss Protection (DLP) for ICS/SCADA
- ICS/SCADA Wireless Attacks
- Security controls for ICS/SCADA environments
- SCADA & security of critical infrastructures [updated 2020]
- CIP (Common Industrial Protocol): CIP messages, device types, implementation and security in CIP
- Open vs proprietary protocols
- Critical security concerns facing the energy & utility industry
- ICS/SCADA Social Engineering Attacks
- ICS/SCADA Malware Threats
- Biggest threats to ICS/SCADA systems
- SIEM for ICS/SCADA environments
- Intrusion Detection and Prevention for ICS/SCADA Environments
- Firewalls for ICS/SCADA environments
- ICS/SCADA Security Technologies and Tools
- Modbus, DNP3 and HART
- RS-232 and RS-485
- BACnet
- TASE 2.0 and ICCP
- FOUNDATION Fieldbus
- Account Management Concepts for ICS/SCADA environments
- PROFIBUS and PROFINET
- ICS Strengths and Weaknesses (from security perspective)
- Access Control Implementation in ICS
- ICS Components
- Access Control Models for ICS/SCADA environments
- ICS/SCADA Security Specialist/Technician Role
- Credential Management and Enforcement for ICS/SCADA environments
- IT vs ICS
- Process control network (PCN) evolution
- ICS protocols
- Saving lives with ICS and critical infrastructure security
- ICS/SCADA Access Controls
- Types of ICS
- Physical security for ICS/SCADA environments
- Introduction to SCADA security
- ICS/SCADA security overview
- Who Is Targeting Industrial Facilities and ICS Equipment, and How?
- Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment
- MyPublicWiFi – A Windows Utility to manage ICS
- Situational awareness and ICS Using GRASS MARLIN
- Cyber risks for Industrial environments continue to increase
- Advice to a New SCADA Engineer
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Critical infrastructure
Securing operational technology: Safeguard infrastructure from cyberattack
Critical infrastructure
Operation technology sees rise in targeted remote access Trojans and ransomware
Critical infrastructure
Vehicle hacking: A history of connected car vulnerabilities and exploits
Critical infrastructure
Operational technology compromises: Low sophistication, high-frequency